In today's economy, collaboration between organizations is becoming an essential requirement for meeting objectives in many areas. Such collaboration typically involves extended negotiations between humans in order to come to terms with, for instance, a set of legal documents that formalise the collaboration in contractual form. Depending on the type of objective, the collaboration has to be reflected to a varying extent on the Information and Communication Technology (ICT) layer as well.
An example of such a collaborative environment is a Virtual Organization (VO). A VO is defined as a temporary or permanent coalition of geographically dispersed individuals, groups, organizational units or entire organizations that pool resources, capabilities and information to achieve common objectives. Security requirements are of major concern because such a collaboration typically exposes a great deal of confidential data of the various VO members. Otherwise independent organizations may even participate in more than one VO at a time, where the VOs are in direct competition with each other.
Typically, collaborations may be modelled in terms of the corresponding workflow processes. Such processes may include tasks which are to be performed by the various VO members within their respective domains. Certain tasks may need to comply with certain control aspects; for example, a specific task may only be performed by a person in a specific role, to ensure that the person is authorized to perform the task.
In the past, one way to deal with this process control issue, taking authorization as the example, was to add a corresponding authorization object to the code of the respective task of the workflow process. This was typically done manually by a programmer. Another approach, aimed specifically at authorization control, uses task-based authorization instead of object-based authorization. Under this approach an authorization step is introduced into the process model. The authorization step can be considered the analogue of a single act of granting a signature in the paper world. The authorization step is associated with a group of trustees and corresponds to a task within the broader context of a workflow. Once the authorization step is instantiated, one member of the group of trustees will eventually grant it. The permissions required to invoke and grant the authorization step, as well as the permissions that the step enables, are modelled for each authorization step in the process. Each authorization step may include information about a corresponding authorization table where the respective authorization information can be found.
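The task-based authorization step described above, as an added example that is not part of the original text: the class, the permission names, the principals and the authorization table are all hypothetical, and the dormant/invoked/granted states are an assumption used to express "instantiated" and "granted".

```python
from dataclasses import dataclass

class AuthorizationError(Exception):
    """A principal may not invoke or grant the step in its current state."""

# Constructed authorization table: principal -> permissions held.
AUTH_TABLE = {"alice": {"po.create"}, "bob": {"po.approve"}, "carol": {"po.approve"},
              "mallory": {"po.create", "po.approve"}}  # mallory is not a trustee

@dataclass
class AuthorizationStep:
    task: str
    trustees: set        # group of principals allowed to grant the step
    invoke_perms: set    # required to instantiate (invoke) the step
    grant_perms: set     # required, on top of trusteeship, to grant it
    enabled_perms: set   # enabled for the workflow once the step is granted
    state: str = "dormant"   # dormant -> invoked -> granted
    granted_by: str = ""     # the single trustee who "signed"

    def _require(self, principal, needed):
        missing = needed - AUTH_TABLE.get(principal, set())
        if missing:
            raise AuthorizationError(f"{principal} lacks {sorted(missing)}")

    def invoke(self, principal):
        if self.state != "dormant":
            raise AuthorizationError(f"{self.task} is already {self.state}")
        self._require(principal, self.invoke_perms)
        self.state = "invoked"

    def grant(self, principal):
        # One trustee grants an instantiated step exactly once, like a signature.
        if self.state != "invoked":
            raise AuthorizationError(f"{self.task} is {self.state}, not invoked")
        if principal not in self.trustees:
            raise AuthorizationError(f"{principal} is not a trustee of {self.task}")
        self._require(principal, self.grant_perms)
        self.state, self.granted_by = "granted", principal
        return set(self.enabled_perms)

def demo():
    step = AuthorizationStep("approve_po", {"bob", "carol"}, {"po.create"},
                             {"po.approve"}, {"po.release_payment"})
    step.invoke("alice")
    try:
        step.grant("mallory")  # holds po.approve but is outside the trustee group
    except AuthorizationError as err:
        return str(err), step.grant("bob"), step.granted_by
    raise AssertionError("grant by a non-trustee was not rejected")
```

Holding the grant permission is not enough: the step checks trusteeship and its own state first, so a second grant or a grant before instantiation is rejected.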